<div dir="auto">Hello,<div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">There is an ssldump example on the <a href="http://kamailio.org">kamailio.org</a> wiki to see the cipher suites. </div><div dir="auto"><br></div><div dir="auto">AFAIK it depends on your certificate/CA and how you create it.</div><div dir="auto"><br></div><div dir="auto">I see this with a test self-signed certificate that I made with one cipher only. </div><div dir="auto"><br></div><div dir="auto">And of course your client needs support for it. </div></div><div class="gmail_extra"><br><div class="gmail_quote">On 02.01.2018 at 5:16 PM, "Steve" <<a href="mailto:smh2017@zoho.com">smh2017@zoho.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p class="MsoNormal">I have a question about deploying TLSv1.2 with Kamailio 4.3.4-1 on a Lubuntu 16.4.3 desktop environment. I changed the Kamailio default <i>tls.cfg</i> file under the section [server:default] to “method=TLSv1.2” and am using OpenSSL 1.0.2g from the Lubuntu repository. All the programs were loaded through the Synaptic Package Manager.</p>
<p class="MsoNormal">My question is whether this version of Kamailio supports the cipher suite ECDHE-RSA-AES256-GCM-SHA384. My version of OpenSSL lists it as an option, but the highest-strength cipher that the Kamailio 4.3.4 server seems to accept is RSA-AES256-GCM-SHA384. My (limited) understanding is that ECDHE is a better method of key exchange than RSA because it is ephemeral, with forward secrecy.</p>
<p class="MsoNormal">I used Wireshark to look at the connection protocols for the SIP clients Jitsi and Blink with the Kamailio server. Jitsi offers only four cipher choices, of what I understand are considered compromised-security TLS protocols, and it connected with the RSA-AES128-CBC-SHA cipher. Blink offers 65 cipher choices, starting with ECDHE-RSA-AES256-GCM-SHA384. My Kamailio server accepted the 29<sup>th</sup> offering on the list, RSA-AES256-GCM-SHA384. Unless I am missing something, Kamailio 4.3.4 doesn’t seem to support ephemeral DH key exchanges. Is there some other TLS configuration file or setting for Kamailio that can be changed to allow this?</p>
</div>
<br>______________________________<wbr>_________________<br>
Kamailio (SER) - Users Mailing List<br>
<a href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a><br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/<wbr>cgi-bin/mailman/listinfo/sr-<wbr>users</a><br>
<br></blockquote></div></div>
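<p>Added example, not part of the thread above and not Kamailio project code. Two things a practitioner would want before concluding that the server "does not support" ECDHE: a way to probe the listener one suite at a time (a normal client offers dozens of suites and the server's own preference decides, so a capture of one session says little about what the server <i>can</i> do), and the <code>tls.cfg</code> knob that restricts the server to forward-secret suites, which is the documented per-domain <code>cipher_list</code> option. Note that in OpenSSL's own naming the non-ECDHE suite is <code>AES256-GCM-SHA384</code> (Wireshark shows it as <code>TLS_RSA_WITH_AES_256_GCM_SHA384</code>). One caveat worth checking against the tls module source for your version: with OpenSSL 1.0.x a server only selects ECDHE suites if the application has configured ECDH parameters (<code>SSL_CTX_set_ecdh_auto</code> or <code>SSL_CTX_set_tmp_ecdh</code>), and DHE suites likewise need DH parameters; OpenSSL 1.1.0 and later enable automatic curve selection by default. If the module does not do that, listing ECDHE suites in <code>cipher_list</code> alone will not produce them. The host, port and certificate paths below are assumptions.</p>

```shell
#!/bin/sh
# Cipher-suite probe for a SIP-over-TLS listener, plus the tls.cfg change that
# restricts the server to forward-secret suites. Added example, not Kamailio
# project code. Assumes openssl(1) is installed; host/port below are assumptions.

KAMAILIO_HOST="${KAMAILIO_HOST:-127.0.0.1}"
KAMAILIO_PORT="${KAMAILIO_PORT:-5061}"

# Read `openssl s_client` output on stdin and print the negotiated suite name.
# s_client prints "New, TLSv1/SSLv3, Cipher is <NAME>" after a successful
# handshake and "New, (NONE), Cipher is (NONE)" when the server rejected the
# offered suite; map the latter (and empty output) to NONE for callers.
negotiated_cipher() {
    awk '/Cipher is/ { c = $NF }
         END { if (c == "" || c == "(NONE)") print "NONE"; else print c }'
}

# Forward-secret suites in OpenSSL naming start with ECDHE- or DHE-; plain
# RSA key transport (e.g. AES256-GCM-SHA384, shown by Wireshark as
# TLS_RSA_WITH_AES_256_GCM_SHA384) has no such prefix.
is_forward_secret() {
    case "$1" in
        ECDHE-*|DHE-*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Offer exactly one suite to the server and report what it negotiated.
# Restricting the client to a single suite is what makes the answer meaningful.
probe_cipher() {
    openssl s_client -connect "$KAMAILIO_HOST:$KAMAILIO_PORT" \
        -tls1_2 -cipher "$1" </dev/null 2>/dev/null | negotiated_cipher
}

# [server:default] block for tls.cfg that only allows forward-secret suites.
# Key/certificate paths are placeholders (assumptions); cipher_list is the
# documented per-domain tls.cfg option.
tls_cfg_with_pfs_ciphers() {
    cat <<'EOF'
[server:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/kamailio-selfsigned.key
certificate = /etc/kamailio/kamailio-selfsigned.pem
cipher_list = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
EOF
}

# Usage: KAMAILIO_HOST=... KAMAILIO_PORT=... sh probe.sh SUITE [SUITE...]
# Each argument is offered alone; nothing is probed when no suites are given.
for suite in "$@"; do
    got=$(probe_cipher "$suite")
    if [ "$got" = "NONE" ]; then
        printf '%s -> rejected by server\n' "$suite"
    elif is_forward_secret "$got"; then
        printf '%s -> %s [forward secret]\n' "$suite" "$got"
    else
        printf '%s -> %s [no forward secrecy]\n' "$suite" "$got"
    fi
done
```

<p>Run it as <code>sh probe.sh ECDHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384</code> against the listener before and after adding <code>cipher_list</code>: if the ECDHE probe is rejected both times while the plain RSA suite is accepted, the limitation is on the server side (no ECDH parameters configured), not in the client's offer. After the <code>cipher_list</code> change, the RSA-only probe should be rejected, which is the behaviour you want when the goal is forward secrecy for every SIP client.</p>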